Windows 7: Reverting an admin to a limited user?

Sorry if this is the wrong place to ask this question. I'm not sure where else it should go, and since it's related to security I thought I might get the best answer here.

I've been running on a default account for Win 7 Professional (x64) since the RTM was released. I thought, at the time of installation, that the default user was not the administrator - but I've found that I was wrong on that point. I have the UAC set to maximum, by the way.

Anyhow, I'm interested in setting my user as a LUA now, and I've found fairly thorough instructions on how to do so online here. Before I take this plunge, though, I'm concerned about the impact this might have on my system stability and security. I have a number of applications that require administrator access during automated procedures - ESET NOD32 autoupdates itself, and obviously needs Admin access to do the automated scans that I have scheduled - not to mention the realtime access it requires. EVGA precision tool and RealTemp require Admin access to run. Beyond that, some programs autoupdate themselves, or record log files - Steam and my IM Client both engage in this behavior.

If I were to change my existing account to a LUA, would that break a lot of these programs? Would I still be able to run the programs I usually do, or patch the programs I need to? Would all of my programs fail to save logs, or fail to patch themselves, because they no longer have appropriate access levels?

In effect, would taking an administrator down to a standard user effectively break all of the applications installed under the Admin user?

Running as a standard user seems like a good security measure, but if it compromises stability and functionality, I'd like to avoid that before I fiddle with things I shouldn't.

If you are running with UAC on full then in effect you are already running as a standard user.

The default (first) user in Win7 is using a dual token security system.
The normal state is that the user has the rights of a member of the users group and UAC will prompt you when it needs to gain membership of the Administrators group.

If you create a standard user and keep UAC at the same level then it will act the same except that it will prompt for the User name and password of a member of the administrators group.

You have to have at least one member of the Administrators group, so if you wish to demote your current user you will need to create a second user as an admin.

I personally find the UAC a convenience, as my former practice was to run as a standard user and manually "run as Administrator". UAC provides me with the same security without the hassle.

It is possible through Group Policy to require the user to supply a password even when running the "admin" account under UAC, if you require that extra step to prevent the automatic "click without thinking" response to the prompt.

Thanks to you both for the information! Very useful stuff. I did not know that the default user with maximum UAC was actually a standard account. That gives me a little more peace of mind.

I should clarify - I intend to keep an administrator account around if I follow through with this plan. I would first make an admin-level account, one I don't plan to use for daily purposes. Afterward, I would then demote the current (default/first) account, so as to keep all my settings and files and whatnot. I realize that there's a possibility that I might lock myself out of the system by removing the admin if I don't do this first.

My main reasoning behind lowering the privileges of my current account is to set up SRP. I have Professional, not Ultimate, so AppLocker is not accessible to me. However, manual SRP looks like something I can implement with a little research. So far, what I've been able to tell is that SRP will only work for an LUA, and can't be instated for an Admin user.

Here is a quote from an article by Mark Russinovich:

"Even processes elevated from standard user accounts can conceivably be compromised because of shared state. All the processes running in a logon session share the internal namespace where Windows stores objects such as events, mutexes, semaphores, and shared memory. If malware knows that an elevated process will try to open and read a specific shared memory object when the process starts, it could create the object with contents that trigger a buffer overflow to inject code into the elevated process. That type of attack is relatively sophisticated, but its possibility prevents OTS elevations from being a security boundary.

The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer."

As I understand the above, using an Admin account with UAC set to max does not provide the same security as using a LUA. If you want the best security and you're willing to put up with UAC prompts and entering passwords, then using a LUA is the way to go. Why not try it and see how it affects your applications? If it breaks something, it's easy enough to change the limited user account back into an Admin account. As you've already noted, make sure you create another Admin account before reducing privileges on your current account. By the way, "fast user switching" is a clever way to move between the accounts with minimal hassle - never occurred to me.
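
The pre-demotion check this thread keeps coming back to (have another enabled administrator first, and know how UAC will prompt), as an added PowerShell example that is not part of any poster's reply. The function names are hypothetical, and the registry value names are the standard UAC policy values, not something quoted in the thread.

```powershell
# Added example for PowerShell 2.0 (Windows 7); read-only, no elevation needed.
function Get-LocalAdminStatus {
    # Resolve the Administrators group by well-known SID so localized names work.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    $local = '/' + [regex]::Escape($env:COMPUTERNAME) + '/'
    foreach ($m in $group.psbase.Invoke('Members')) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # Skip nested groups and domain accounts: only local users are a fallback.
        if ($class -ne 'User' -or $path -notmatch $local) { continue }
        $user = [ADSI]$path
        New-Object PSObject -Property @{
            Name     = [string]$user.Name.Value
            Disabled = [bool]($user.UserFlags.Value -band 0x2)  # ADS_UF_ACCOUNTDISABLE
        }
    }
}

function Get-UacPromptPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    # ConsentPromptBehaviorAdmin: how an administrator in Admin Approval Mode is prompted.
    $modes = @{ 0 = 'elevate without prompting'; 1 = 'credentials on secure desktop';
                2 = 'consent on secure desktop'; 3 = 'credentials';
                4 = 'consent';                   5 = 'consent for non-Windows binaries' }
    New-Object PSObject -Property @{
        UacEnabled    = [bool]$p.EnableLUA
        AdminPrompt   = $modes[[int]$p.ConsentPromptBehaviorAdmin]
        SecureDesktop = [bool]$p.PromptOnSecureDesktop
    }
}

$me     = $env:USERNAME
# A disabled account (the built-in Administrator is disabled by default) is no fallback.
$others = @(Get-LocalAdminStatus | Where-Object { -not $_.Disabled -and $_.Name -ne $me })

Get-UacPromptPolicy | Format-List
if ($others.Count -eq 0) {
    Write-Warning "No other enabled local administrator; create one before demoting '$me'."
} else {
    $names = ($others | ForEach-Object { $_.Name }) -join ', '
    "Fallback administrator(s) present: $names. '$me' can be demoted."
}
```

An `AdminPrompt` of "credentials on secure desktop" corresponds to the Group Policy setting mentioned earlier in the thread that makes an administrator type a password instead of clicking through the consent prompt.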
